Software update on obsolete system: is it real?

apple.stackexchange https://apple.stackexchange.com/questions/373461

Question

I've got an old PowerPC Mac Mini running Leopard that I keep around to run legacy software. Today, for the first time in years, Software Update opened up, offering to upgrade Airport Utility from 5.2.2 to 5.6.1.

Is this a genuine update, and if so, why is it showing up now, more than a decade after support for both the OS and the hardware ended?

Was it helpful?

Solution

This is real, yes. A lot of older software updates (but also newer ones e.g. some 10.14.6 Supplemental Update from September 2019!) are signed with a certificate which becomes/became invalid on Oct, 24 2019.

To keep them in the update game the intermediate certificate authority and its certficates have been replaced – the payload stays the same – and they have been republished/reissued.

Further readings (with pics I don't want to deep-link here 👼):

  1. Beware Apple security certificates after 24 October: they may have expired

  2. Certificate used to sign older Apple software expiring on October 24, 2019

To check the validity of software installer packages use:

pkgutil --check-signature /path/to/package.pkg

Example (the OSInstall.pkg inside the InstallESD.dmg of Install macOS Sierra.app d/led on Feb, 26 2019):

pkgutil --check-signature /Volumes/OS\ X\ Install\ ESD/Packages/OSInstall.pkg 
Package "OSInstall.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

To check dmgs use:

spctl -a -t open --context context:primary-signature -v /path/to/dmg
spctl -a -v /path/to/dmg

or

codesign -dvvv /path/to/dmg

Not all dmgs are codesigned! The precise command is sometimes macOS-version-dependent, or requires a min macOS/OS X version. Please check man <command> (eg: man spctl).

OTHER TIPS

According to Apple's support pages, Airport Utility 5.6.1 was released back in June 2012. Why your Mac never noticed this update (or any of the others since 5.2.2) till now is a mystery. But it is a valid update.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange
scroll top